{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25988", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:41:55.858Z", "datePublished": "2026-02-24T01:48:29.928Z", "dateUpdated": "2026-02-28T02:08:29.771Z"}, "containers": {"cna": {"title": "ImageMagick's MSL image stack index not refreshed, leading to leaked images.", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7"}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"version": ">= 7.0.0, < 7.1.2-15", "status": "affected"}, {"version": "< 6.9.13-40", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T01:48:29.928Z"}, "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}], "source": {"advisory": "GHSA-782x-jh29-9mf7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-28T02:08:10.795352Z", "id": "CVE-2026-25988", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:08:29.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-28T02:08:10.795352Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:08:25.313Z"}}], "cna": {"title": "ImageMagick's MSL image stack index not refreshed, leading to leaked images.", "source": {"advisory": "GHSA-782x-jh29-9mf7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ImageMagick", "product": "ImageMagick", "versions": [{"status": "affected", "version": ">= 7.0.0, < 7.1.2-15"}, {"status": "affected", "version": "< 6.9.13-40"}]}], "references": [{"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7", "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T01:48:29.928Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25988", "state": "PUBLISHED", "dateUpdated": "2026-02-28T02:08:29.771Z", "dateReserved": "2026-02-09T17:41:55.858Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T01:48:29.928Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6F44A65-1733-4752-AAD0-BCCC7BDBC877", "versionEndExcluding": "6.9.13-40", "vulnerable": true}, {"criteria": "cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AFFD439-1068-4B6F-AE01-724AC62CDCEA", "versionEndExcluding": "7.1.2-15", "versionStartIncluding": "7.0.0-0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, sometimes msl.c fails to update the stack index, so an image is stored in the wrong slot and never freed on error, causing leaks. Versions 7.1.2-15 and 6.9.13-40 contain a patch."}, {"lang": "es", "value": "ImageMagick es un software libre y de c\u00f3digo abierto utilizado para editar y manipular im\u00e1genes digitales. Antes de las versiones 7.1.2-15 y 6.9.13-40, a veces msl.c no actualiza el \u00edndice de la pila, por lo que una imagen se almacena en la ranura incorrecta y nunca se libera en caso de error, causando fugas. Las versiones 7.1.2-15 y 6.9.13-40 contienen un parche."}], "id": "CVE-2026-25988", "lastModified": "2026-02-25T11:56:36.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T02:16:03.097", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "ImageMagick: ImageMagick: Denial of Service due to memory leak in image processing", "id": "2442101", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442101"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-911", "details": ["A flaw was found in ImageMagick. When processing certain images, the msl.c component fails to correctly update the stack index, causing an image to be stored in an incorrect memory location. This memory is then not properly freed, leading to memory leaks. A remote attacker could exploit this vulnerability by providing a specially crafted image, which can lead to a Denial of Service (DoS) condition."], "mitigation": {"lang": "en:us", "value": "To reduce the risk of memory exhaustion, it is recommended to avoid processing untrusted or maliciously crafted image files with ImageMagick. Deploying ImageMagick operations within a sandboxed environment with appropriate resource limits can further contain potential impacts from this vulnerability."}, "name": "CVE-2026-25988", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ImageMagick", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2026-02-24T01:48:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25988\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25988\nhttps://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-782x-jh29-9mf7"], "statement": "MODERATE: A flaw in ImageMagick can lead to memory leaks when processing images. This issue arises because the MSL image stack index is not consistently refreshed, causing images to be stored in incorrect memory locations and not properly deallocated. Red Hat products utilizing ImageMagick for image manipulation may experience resource exhaustion under specific processing conditions.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.1.2-15)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.9.13-40)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ImageMagick", "source": "cna", "vendor": "ImageMagick"}, "product": "imagemagick", "vendor": "imagemagick"}], "analysis": {"en": {"generated_at": "2026-04-17T15:57:34.649170+00:00", "value": {"mitigation_remediation": ["Upgrade ImageMagick to 7.1.2\u201115 or later, or 6.9.13\u201140 or later to apply the patch.", "If upgrading is not immediately possible, restrict the processing of external images to a sandboxed environment to contain potential memory exhaustion.", "As a last resort, disable functionalities that rely on msl.c (e.g., image stack manipulation operations) until a patched version is available."], "summary": {"action": "Patch Immediately", "impact": "Memory Leak Causing Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of ImageMagick prior to release 7.1.2\u201115 and 6.9.13\u201140. It exists in the msl.c module that manages image stack indices, regardless of the host platform.", "description_and_impact": "A flaw in ImageMagick\u2019s msl.c component prevents the stack index from being refreshed on error, causing an image to be stored in the wrong slot and never freed. This results in a memory leak (CWE\u2011401) and an uninitialized data exposure (CWE\u2011911). The continual leaking of memory can eventually exhaust system resources, potentially leading to denial of service for applications that rely on the library.", "risk_and_exploitability": "With a CVSS base score of 5.3 the flaw is considered moderate. The EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is through image processing operations\u2014such as conversion, resizing, or other manipulations\u2014performed on user\u2011supplied images, which may be triggered remotely if the application accepts untrusted content."}}}}, "created": "2026-02-24T09:53:39.079876+00:00", "updated": "2026-04-17T16:00:11.388635+00:00", "vendors": ["imagemagick", "imagemagick$PRODUCT$imagemagick"]}